Many Networks, One Identity

Over the years, I've participated in numerous IT meetings in which the topic under discussion was setting up an infrastructure to let multiple companies work together on one contract. These meetings were always filled with dread and a collective sense that achieving our aim would require too much work and provide too little return. Such projects always seemed to present major administrative headaches that were virtually impossible to resolve in the tight time frame we were allotted. Our options were either to set up a system that was dedicated to the project—a task that can't be accomplished quickly—or to create multiple copies of user profiles on the networks involved so that all participants could access the necessary information. Long-term projects were somewhat easier to deal with; we typically had time to set up a dedicated infrastructure to support multi-year efforts. But for projects with shorter life spans, the problems of integrating workers and applications often seemed insurmountable.

Enter Federated Identity Management (FIM)—a set of standards that's designed to solve the problem of letting members of disparate organizations access the resources of all enterprises involved in a project. Essentially, FIM is a single sign-on (SSO) methodology—a system that lets individuals use the same username, password, or other credentials to sign on to networks of multiple, unrelated organizations, such as business partners, autonomous business units, and remote offices, and use those networks' resources to conduct transactions. It doesn't matter whether the company that hosts the necessary resources is running Active Directory (AD), Lightweight Directory Access Protocol (LDAP), or another directory service; FIM lets a user use the same authentication information to sign on to any participant's network. FIM makes it unnecessary for the multiple companies involved in a project to run the same directory service or even create full user accounts for foreign users—each organization can maintain its own directories and still securely exchange information with its partners without significantly increasing overhead and workload.

How FIM Works FIM works by using a standardized method to communicate authentication information among partner organizations. As of this writing, the closest thing to a standardized communications methodology is the Security Assertion Markup Language (SAML).

SAML is an XML-based framework for ensuring the security of transmitted communications. SAML provides mechanisms, called assertions, which let a computer identify objects that require authentication as a person or as a device and specify what rights each requester has on the target network. SAML 1.1 has been adopted by the Liberty Alliance Project, a group of more than 150 member organizations that's developing open standards and specifications for FIM. The SAML standard is also backed by the Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit international consortium that influences the development and adoption of e-business standards such as SAML and Web Services Security (WS-Security).

IBM and Microsoft are backing WS-Security, a standard that competes with SAML. Both SAML 1.1 and WS-Security use Simple Object Access Protocol (SOAP) over HTTP as their connection methodology and allow for binding of identity management applications to other communications technologies. OASIS ratified WS-Security 2004 in April, designating it as an OASIS standard. The industry and user consensus seems to be that OASIS will push for the two standards to coalesce into a unified SAML 2.0 specification. By the time you read this article, a common specification might well exist.

An Emerging Technology Vendors are starting to release standalone FIM products, such as RSA Security's RSA Federated Identity Manager, a standalone FIM application development infrastructure that supports the SAML 1.x standard. RSA Federated Identity Manager is an out-of-the-box solution that can dramatically shorten the time necessary to develop your own identity management system. However, at present you still have to build your own FIM application that's tailored to your environment—RSA Security and several other companies, including IBM (Tivoli), Netegrity, Oblix, OpenNetwork Technologies, and Ping Identity, offer only the infrastructure components that can make developing a FIM application easier.

Simplistic FIM applications already exist, such as Microsoft .NET Passport, a business-to-consumer (B2C) type of FIM application that manages your identity on the Web and lets you subscribe to MSN sites that are .NET Passport­enabled. Microsoft also offers a full-featured identity management system, called Microsoft Identity Integration Server (MIIS) 2003, which provides a centralized service that synchronizes user account information, passwords, and other identity data across multiple directories and other data sources, such as Microsoft Exchange Server and Microsoft SQL Server. To run MIIS, you need Windows Server 2003, Enterprise Edition, and SQL Server 2000, Enterprise Edition.

Will FIM catch on in the Windows world? That depends on whether businesses are willing to trust the security practices of other organizations with whom they want to create a FIM connection. The security of the FIM environment is only as strong as that of the least secure participant; thus, it's important that you first ensure that your organization and all your partners have adequate internal authentication mechanisms in place. Doing so requires that you and your partners meet to explicitly discuss and agree on the security-practice standards for each organization.

FIM is simply the first step in building an authentication methodology that will be used not only for interbusiness communication but eventually to identify and authenticate individuals so that they can access all sorts of resources. Eventually, it's possible that all of your identity information, from birth certificate to driver's license to network authentication to death certificate, will be part of an all-encompassing identity management scheme. Whether this manifestation of FIM will make identity theft a virtual impossibility or a capital offense remains to be seen. However, it certainly could turn all those jokes about this or that going into your permanent record into prophecies. For the time being, though, keep an eye on FIM; your organization just might be using it in a year or two.